mirror of https://git.tukaani.org/xz.git
36b531022f
The release files are signed but verifying the signatures cannot catch certain types of attacks:

1. A malicious maintainer could make more than one variant of a package. One could be for general distribution. Another with malicious content could be targeted to specific users, for example, distributing the malicious version on a mirror controlled by the attacker.

2. If the signing key of an honest maintainer was compromised without being detected, a similar situation as described above could occur.

SHA256SUMS could be put on the project website but having it in the Git repository makes it obvious that old lines aren't modified when the file is updated.

Hashes of uncompressed files are included too. This way tarballs can be recompressed and the hashes can still be verified.
| Name |
|---|
| .. |
| examples |
| SHA256SUMS |
| faq.txt |
| history.txt |
| lzma-file-format.txt |
| xz-file-format.txt |